Hacking on Vacation (Autumn, 2002)
----------------------------------
By Eric

I'll start with Disney World. Both WDW (Walt Disney World) and Universal Studios/Islands of Adventure have a "Fast Pass" system (Universal calls it "Universal Express") that allows you to get a ticket for a certain time slot (usually anywhere from ten minutes to an hour ahead). When the time slot comes around, you can go to the head of the line (actually, get into a separate, shorter, Fast Pass line).

Now, the WDW and US/IOA tickets are only checked by an attendant; no electronic verification is used. The attendant looks at two things: the color/background of the ticket, which indicates the ride for which it is valid, and the black, thermally printed text that indicates what time slot it is for. Universal Express tickets are printed on card stock, have preprinted generic backs (not ride-specific), and have low-resolution (thermally?) printed fronts with the time slot (in Comic Sans MS font) and the ride logo. Since the Fast Pass/Universal Express tickets are free and easy to get, a dishonest person would have rather little difficulty reproducing them.

The WDW Fast Pass system uses a simple client/server topology: the dispenser boxes read the magnetic stripe on the park pass (the one you paid $50+ for) and send it to the central server using "Black Box" short-haul modems. (Black Box is the name of the modem model or manufacturer; I was not able to find out which.) The dispensers are secured by a lock on the back that needs to be unlocked before the half-moon handle can be turned to release the cover of the clients; the lock appears to be a standard pin- or disc-tumbler type.

I know that Disney offers $200, 6-hour behind-the-scenes tours of the utility tunnel system and stuff like that for people over 16, photo ID required at the gate. (If it's fake and they find out, you're out $200.) If any reader goes on one of these tours, please write in!
An interesting fact: some of the LED signs in US/IOA have DB9 and PS/2-type connectors hanging off the back. I wonder....

At some of the more expensive themed restaurants in the area (NBA City in the Universal Studios shopping area just outside the park, for example) the "your table is ready" notification system uses things called TouchPaks. What is really cool about these is that they are literally just Compaq iPaqs with the double-the-weight-and-thickness PCMCIA adapter, an Orinoco WLAN card, and a special system extension customized to the restaurant - in this case, a basketball theme that allows the user to play trivia games and watch movies - all in a special "tamper-proof" case. **cough**

The trick is with the snaps on the back. They are damn near impossible to open by hand or even by screwdriver unless you know the trick, possibly because of the punched dot on their backs. So anyway, what you do is take out your handy flathead screwdriver (on your SwissTool or whatever) and slide the blade under the snap, between the female and male parts. Stick it opposite the punched dot, but not exactly opposite. Some experimentation is needed. I think the trick is to get the corner of the screwdriver's head opposite the dot, but I am not sure. Twist the screwdriver. If you did it right, the snap should lever off with a small amount of force; if you didn't get it right then it won't do anything (except break, if you twist too hard). To put the snaps back on, you need to find the small black tab on the inside rim of the female half of the snap. It's that tab that makes them tough to put back on, so just tilt the snap so the black tab is closest to the male snap-half and push the female down so the black tab hooks under the rim of the male; then you can push the rest of the female down and she'll snap right back in.

Why would one want to access the hardware? The reset button, of course!
You see, the WinCE UI is protected from "hacking" by the fact that the extension (the "overlay" UI) runs at boot and intercepts all button presses. However, if the battery reaches ten percent, the custom UI will drop the user into a "Low battery, please see the hostess" screen, with the start menu in the upper-left corner! To get the battery down that low, you can either wait a while, or play some movies. (NBA City's custom UI lets you watch short basketball movies, and the MPEG decoder makes the CPU suck juice like you would not believe.) Incidentally, while you're looking around in the WinCE UI, the overlay UI might not be able to receive signals from the base, so you may want to do the hacking on a busy night when you know it'll be quite a while until your table is ready. Reset the unit to restore it to its original state.

The custom software receives the table-ready signal over a standard 802.11b network (NBA City's SSID is "NBA") that is not WEP encrypted. However, the range apparently does not extend very far outside the restaurant, at least without a directional antenna. Regardless, I doubt the network is Internet-connected, so all one could do would be to sniff and reverse-engineer the protocol. Which would be interesting.... (If you do R-E it, please write!) The base station in the restaurant is an Intermec "Handheld PC" mini-laptop (in NBA City, located just inside the second entrance doors on a small table) running custom software and using a Cisco Aironet card. Apparently, although there is a "custom message" button in the software, the feature is not yet implemented. Perhaps in the future, or with a bit of sniffing of the message protocol, one could figure out how to send "All Your Tables Are Belong To Us."

Orlando is not the only place you can fiddle around. In many European tourist spots where you can take a self-guided audio tour, you get a squarish black box manufactured by "AntennAudio."
It has a row of numbered buttons at the top of the faceplate, and on either side of the LCD display you have the red stop button, a back button, up and down buttons, and the green play button. The back plate of the unit holds two gold-plated nubs, some recessed contacts to charge the battery, and the on/off slide switch. (Do not turn the unit off unless you speak the local language, as turning it off resets the language. I found out the hard way.) The side panel has a headphone jack and a PS/2-type connector, used to program the unit.

When the unit boots up, you can pause the boot sequence by holding down the stop button (it continues when you let go), which is pretty useless, and it displays some rudimentary version information, also pretty useless except for the fact that it tells you that there's some kind of internal memory and processing capability. As you might guess from the noises it makes when you type in a location code to hear the prerecorded description of what you are looking at, it is just a glorified portable CD player. What you might not guess is that the only thing holding it shut is four or five medium-small Phillips-head screws that a handy SwissTool will take care of. If you undo the screws on the AntennAudio sticker side and open the cover (being careful not to lose the screws!) you get access to the CD. I did not have time to stick it into my laptop, so I am not sure if the sound files are stored as CD tracks or as data (MP3?). Presumably, the CD would also be able to carry firmware (as it seems to be updatable, since there's a date and version number in the boot screen), so I suspect the latter. With a bit of hacking, I imagine one would be able to burn a replacement CD; quite handy for those long boring tours. As long as you remember to replace the original when you're done! Note that I do not advocate changing the tour CD and leaving it in there, regardless of how incorrect or boring the current CD is.
There's another type of audio guide that looks like a really long, skinny remote control and has a remarkably cell-phone-like screen (used at a Roman theatre in southern France); it can take up to four digits for the "commentary code," and typing in 9999 will let you change the language. But that's all I could find.

Something to remember if you go into a French post office: the iMac-based Internet terminals (with a card reader for some kind of credit card) run a pre-OSX variant and use AtEase for protection. Pressing Apple-Power (the power key is hidden under a metal strip at the top right of the keyboard, accessible by paperclip or SwissTool small flathead screwdriver) will bring up the rudimentary debugger; typing G FINDER should get you to the Finder. (PC users: the Finder is the equivalent of EXPLORER.EXE; try terminating it in the Close Programs dialog box, or the Processes tab in Win2k/XP, to see what it does.) From there you should be able to find Netscape or whatever. Rebooting will restore it to its original state.

Similar but simpler, PC@EASY terminals in airports have the Ethernet cable accessible at the bottom-right corner of the monitor, just behind the bezel. Plugging in a laptop and getting a DHCP address works, but is unethical....

Have fun! And remember, leave no trace.